diff options
| author | Steffen Klassert <steffen.klassert@secunet.com> | 2014-09-16 04:08:40 -0400 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2014-09-16 04:08:40 -0400 |
| commit | f92ee61982d6da15a9e49664ecd6405a15a2ee56 (patch) | |
| tree | 014f5e6b027f1446b5bda041382b30262868bf86 /net/xfrm | |
| parent | 95cd6f488d164de462a8279e802a0ad05c33d167 (diff) | |
xfrm: Generate blackhole routes only from route lookup functions
Currently we genarate a blackhole route route whenever we have
matching policies but can not resolve the states. Here we assume
that dst_output() is called to kill the balckholed packets.
Unfortunately this assumption is not true in all cases, so
it is possible that these packets leave the system unwanted.
We fix this by generating blackhole routes only from the
route lookup functions, here we can guarantee a call to
dst_output() afterwards.
Fixes: 2774c131b1d ("xfrm: Handle blackhole route creation via afinfo.")
Reported-by: Konstantinos Kolelis <k.kolelis@sirrix.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index beeed602aeb3..7505674c9faa 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
| @@ -2138,7 +2138,7 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, | |||
| 2138 | xfrm_pols_put(pols, drop_pols); | 2138 | xfrm_pols_put(pols, drop_pols); |
| 2139 | XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); | 2139 | XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); |
| 2140 | 2140 | ||
| 2141 | return make_blackhole(net, family, dst_orig); | 2141 | return ERR_PTR(-EREMOTE); |
| 2142 | } | 2142 | } |
| 2143 | 2143 | ||
| 2144 | err = -EAGAIN; | 2144 | err = -EAGAIN; |
| @@ -2195,6 +2195,22 @@ dropdst: | |||
| 2195 | } | 2195 | } |
| 2196 | EXPORT_SYMBOL(xfrm_lookup); | 2196 | EXPORT_SYMBOL(xfrm_lookup); |
| 2197 | 2197 | ||
| 2198 | /* Callers of xfrm_lookup_route() must ensure a call to dst_output(). | ||
| 2199 | * Otherwise we may send out blackholed packets. | ||
| 2200 | */ | ||
| 2201 | struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig, | ||
| 2202 | const struct flowi *fl, | ||
| 2203 | struct sock *sk, int flags) | ||
| 2204 | { | ||
| 2205 | struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk, flags); | ||
| 2206 | |||
| 2207 | if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE) | ||
| 2208 | return make_blackhole(net, dst_orig->ops->family, dst_orig); | ||
| 2209 | |||
| 2210 | return dst; | ||
| 2211 | } | ||
| 2212 | EXPORT_SYMBOL(xfrm_lookup_route); | ||
| 2213 | |||
| 2198 | static inline int | 2214 | static inline int |
| 2199 | xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl) | 2215 | xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl) |
| 2200 | { | 2216 | { |